Adding Azure AD group to local group fails

Tim 96

The command below fails with error "there is no such global user or group: AzureAd\groupname@keyman .com"

net localgroup administrators "AzureAD\groupname@keyman .com" /Add

I have tried using the SID, no AzureAD, and no domain and all return the same error.

However I can run the same command with a user account and it is successful.

Anshul Kumar (MINDTREE LIMITED) 6 Reputation points

2021-10-09T03:50:14.63+00:00

Hi, if the posted answer resolves your question, please mark it as the answer by clicking the check mark. Doing so helps others find answers to their questions.

Accepted answer

Tim 96 Reputation points

2021-10-11T15:33:06.377+00:00

The "NET" command seems to be geared more towards AD and using it with AAD produces mixed/unexpected results.

Solution:

Create a new Configuration Profile and choose Custom.

OMA-URI:
./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure

Value:
<GroupConfiguration>
<accessgroup desc = "Administrators">
<group action = "U"/>
<add member = "AzureAD Group's SID"/>
</accessgroup>
</GroupConfiguration>
Please sign in to rate this answer.
Kevin Vlasselaer 1 Reputation point

2021-11-11T21:25:32.147+00:00

Hi Tim,

Thank you for sharing this Configuration Profile configuration.

Unfortunately for me the local group is correctly populated with the SID but it seams not working at all.
It seams that event if the SID is added to the group, it's not fully recognized and users in the AAD Group are not "detected".

My goal is :

Create a new Local group to allow members of it to connect to the device (Allow log on locally)

Add the Azure AD Group into this local Group (via your Device Configuration)

Add the new local group into the "Allow Log on locally" policy --> Not possible to add the SID of the AAD group directly in the policy. Reason why I deal with a local group as intermediate

All of this is working fine but users in the Azure AD group are unable to connect to the device...
Sign in to comment

1 additional answer

Marilee Turscak-MSFT 34,306 Reputation points Microsoft Employee

2021-07-13T20:46:10.8+00:00

This recommended approach is to sync the local group to Azure AD instead, as Microsoft does not have official guidelines adding groups to a group synced with an on-premises Azure AD.

https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-membership-azure-portal

There is also an open feedback request for this: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/32804737-ability-to-add-groups-as-additional-local-administ

That said, this blog post shows how to add an Azure AD group to a local admin group using Intune: https://www.inthecloud247.com/add-an-azure-ad-group-to-the-local-administrators-group-with-microsoft-intune/
Please sign in to rate this answer.
Tim 96 Reputation points

2021-07-13T22:17:18.66+00:00

Thanks for the response.

The group is in AzureAD. I got the SID using using the Get-AzureAdGroup Powershell command and then converted the ObjectId to SID using the script here: https://github.com/okieselbach/Intune/blob/master/Convert-AzureAdObjectIdToSid.ps1

I tried using Intune to add the AzureAD group to the local admin group. Once I enable the policy the AzureAD group's SID showed up in the local admin group. However the users in the AzureAD group still did not have admin access. This leads me to believe that the SID is wrong. Is there any other way to get it without having to do a conversion?

Thanks!!!
Sign in to comment